Secure Remote Access to your Serial Console Ports "You progress not through improving what has been...

Secure Remote Access to your Serial Console PortsSecure Remote Access to your Serial Console Ports

"You progress not through improving what has been done, but reaching toward what has yet to be done."

-- Kahlil Gibran (1883-1931)

"You progress not through improving what has been done, but reaching toward what has yet to be done."

-- Kahlil Gibran (1883-1931)

BigBand Networks Confidential

BigBand Networks OverviewBigBand Networks Overview

Based in Tel Aviv, Israel– US main office is in Redwood City

Manufactures Digital Video Processing Hardware, primarily used by the Cable TV industry– Chassis are SNMP managed, but can also be

controlled using a Command Line Interface (CLI)

– We’re installing remote access for ‘local’ use, but Tel Aviv engineers will benefit as well.

Based in Tel Aviv, Israel– US main office is in Redwood City

Manufactures Digital Video Processing Hardware, primarily used by the Cable TV industry– Chassis are SNMP managed, but can also be

controlled using a Command Line Interface (CLI)

– We’re installing remote access for ‘local’ use, but Tel Aviv engineers will benefit as well.


Who’s on first (call) tonight?Who’s on first (call) tonight?

How many of you could be paged tonight, to go back to work to help restore an ailing machine to service?

How many could check the status of that ailing machine from the podium, now?

How many wouldn’t worry about exposing your root passwords while doing it?

How many folks would like to be able to do it, without worry?

How many of you could be paged tonight, to go back to work to help restore an ailing machine to service?

How many could check the status of that ailing machine from the podium, now?

How many wouldn’t worry about exposing your root passwords while doing it?

How many folks would like to be able to do it, without worry?


Don’t Worry, it’s easy!Don’t Worry, it’s easy!


Why consoles are importantWhy consoles are important

Local consoles (serial port, or keyboard and screen) are needed when network access and remote control applications have failed.

When in-the-middle network gear has failed

Secure devices want to be configured using a ‘local’ connection.

Some devices don’t have network stacks

Local consoles (serial port, or keyboard and screen) are needed when network access and remote control applications have failed.

When in-the-middle network gear has failed

Secure devices want to be configured using a ‘local’ connection.

Some devices don’t have network stacks


Remote Access to Serial ConsolesRemote Access to Serial Consoles

Most Unix machines support a serial console during operation.

Most non-Intel platforms support boot-up control using the serial console.

Many Intel platform BIOS makers are offering an option for serial console redirection of Power-On Self-Test (POST) messages, but there are limitations, and they are not consistent.

Add-in cards for PCs can provide access!

Most Unix machines support a serial console during operation.

Most non-Intel platforms support boot-up control using the serial console.

Many Intel platform BIOS makers are offering an option for serial console redirection of Power-On Self-Test (POST) messages, but there are limitations, and they are not consistent.

Add-in cards for PCs can provide access!


Virtual PresenceVirtual Presence

If you can remotely access serial consoles– No need to run to the server rooms– Your response to outages/problems is faster– You can easily check machines in other

buildings, even in other cities– Reduced downtime saves the company money!

Time = Money

Downtime = Anti-money– Believe me, it gets measured, somehow

If you can remotely access serial consoles– No need to run to the server rooms– Your response to outages/problems is faster– You can easily check machines in other

buildings, even in other cities– Reduced downtime saves the company money!

Time = Money

Downtime = Anti-money– Believe me, it gets measured, somehow


Terminal Server ReviewTerminal Server Review

How terminal servers provide remote access to consoles– Reverse Telnet

Workstation telnets to Terminal Server address:port 7-bit session? 8-bit clean? Can you escape from the session?

– Vendor-specific port formulae Different ranges for 7-bit, 8-bit...

– Vendor-specific features

How terminal servers provide remote access to consoles– Reverse Telnet

Workstation telnets to Terminal Server address:port 7-bit session? 8-bit clean? Can you escape from the session?

– Vendor-specific port formulae Different ranges for 7-bit, 8-bit...

– Vendor-specific features


Terminal & Console ServersTerminal & Console Servers

Terminal Servers were designed to allow ‘dumb terminals’ to access hosts on IP networks.

Reverse Telnet allowed users on the network to connect to serial ports on terminal servers

Console Servers are a newer, enhanced Terminal Server, meant for supporting console access.

Terminal Servers were designed to allow ‘dumb terminals’ to access hosts on IP networks.

Reverse Telnet allowed users on the network to connect to serial ports on terminal servers

Console Servers are a newer, enhanced Terminal Server, meant for supporting console access.


Basic Serial HookupsBasic Serial Hookups

Console Server connected to the same LAN with the hosts

Serial connections from the consoles of each host to the Console Server

Console Server connected to the same LAN with the hosts

Serial connections from the consoles of each host to the Console Server


Security is already availableSecurity is already available

Most Console Servers have SSL and/or SSH implementations for access

Many have IP access control, so you can allow connections only from ‘trusted hosts’ to the high TCP ports

You can also set up your access so users need to use SSH, or other secure methods to authenticate on the trusted host before they can connect to the Console Server

Physical access should be part of your plan

Most Console Servers have SSL and/or SSH implementations for access

Many have IP access control, so you can allow connections only from ‘trusted hosts’ to the high TCP ports

You can also set up your access so users need to use SSH, or other secure methods to authenticate on the trusted host before they can connect to the Console Server

Physical access should be part of your plan


Advanced (Security) ArchitectureAdvanced (Security) Architecture

Addressing Security Concerns– Add a management Network– Put console server and clients there– Added security costs money…

Addressing Security Concerns– Add a management Network– Put console server and clients there– Added security costs money…

H1 2 3 4H H H

LAN

serial

session

MGMT

TS A

CS 1 NMS

logging

R1

CC


Logging Adds Value to your AccessLogging Adds Value to your Access

With the Terminal/Console Server, only one person can be connected to a single port at any given time.

Using an intermediary server allows for logging, and multi-user access, and easier access/restriction authorization.

Logging mechanisms make it easier to automate monitoring and reporting, and provide forensic details for post-event analysis of events.

With the Terminal/Console Server, only one person can be connected to a single port at any given time.

Using an intermediary server allows for logging, and multi-user access, and easier access/restriction authorization.

Logging mechanisms make it easier to automate monitoring and reporting, and provide forensic details for post-event analysis of events.


Advanced Architecture, Part TwoAdvanced Architecture, Part Two

Adding a Conserver host– Conserver host makes all Reverse TCP calls– CC is now a Conserver client– Client connects to Conserver host– Clients are connected to logging streams

Adding a Conserver host– Conserver host makes all Reverse TCP calls– CC is now a Conserver client– Client connects to Conserver host– Clients are connected to logging streams


Connecting Serial DevicesConnecting Serial Devices

Most Console Server hardware vendors don’t have a wide variety of cables and adapters

Usually left as an exercise for the hardware buyer

Pre-wired adapters will make your life easier!

Check the host-to-adapter web pages for more clues.

Most Console Server hardware vendors don’t have a wide variety of cables and adapters

Usually left as an exercise for the hardware buyer

Pre-wired adapters will make your life easier!

Check the host-to-adapter web pages for more clues.


Connecting Consoles/DevicesConnecting Consoles/Devices

Establish the Physical Link First.

Use Pre-wired Adapters.

Use Passive Signal Tracers.

Use 8-wire cable, CAT-5 preferred

Establish the Physical Link First.

Use Pre-wired Adapters.

Use Passive Signal Tracers.

Use 8-wire cable, CAT-5 preferred

2 3 4 5 6 8

11 20


Establish a Physical Link FirstEstablish a Physical Link First

It’s easy to debug software settings when you know the physical link is in place.

It’s easy to establish the physical link with pre-wired adapters.

Testing the physical link is easier with an RS-232 Signal Tracer.

It’s easy to debug software settings when you know the physical link is in place.

It’s easy to establish the physical link with pre-wired adapters.

Testing the physical link is easier with an RS-232 Signal Tracer.


So Many PossibilitiesSo Many Possibilities

Not only are the choices finite, but the number of choices is rather small.

Four choices for each connector type.

Not only are the choices finite, but the number of choices is rather small.

Four choices for each connector type.


Whittling down the listWhittling down the list

When connecting devices, you know the connector type, and the gender(s)…

Pick one connector for one end, and take one of each for the other end!

When connecting devices, you know the connector type, and the gender(s)…

Pick one connector for one end, and take one of each for the other end!


Use Pre-Wired AdaptersUse Pre-Wired Adapters

Saves time (no assembly)

Consistent wiring (no mistakes)

Consistent colors and labels.

Assortments make it easy.

Console guides available– http://www.conserver.com/consoles/– http://www.stokely.com/

Saves time (no assembly)

Consistent wiring (no mistakes)

Consistent colors and labels.

Assortments make it easy.

Console guides available– http://www.conserver.com/consoles/– http://www.stokely.com/


Time SynchronizationTime Synchronization

Important for logging– backup and file sharing too

Comparing logs from many devices after an ‘event’?– Security devices– Hosts, servers– Network (routers, switches, load balancers)– Check non-network devices often

Important for logging– backup and file sharing too

Comparing logs from many devices after an ‘event’?– Security devices– Hosts, servers– Network (routers, switches, load balancers)– Check non-network devices often


Real World ExamplesReal World Examples

There are many sites around the world using Conserver today, to control enterprise installations, as well as running small-but-vital server cores.

Conserver.com has a searchable email digest, if you want to go digging…

There are many sites around the world using Conserver today, to control enterprise installations, as well as running small-but-vital server cores.

Conserver.com has a searchable email digest, if you want to go digging…


SynopsysSynopsys

Multiple distributed data centers

35+ field offices

Field sites host a Conserver

Router supports– Dial-in/out ISDN access– Local authentication– Console ports

Multiple distributed data centers

35+ field offices

Field sites host a Conserver

Router supports– Dial-in/out ISDN access– Local authentication– Console ports


Synopsys Basic Field OfficeSynopsys Basic Field Office

WAN for main traffic

PSTN (ISDN) for field dialup– (Public Switched Telephone Network)

Local Conserver Host

WAN for main traffic

PSTN (ISDN) for field dialup– (Public Switched Telephone Network)

Local Conserver Host

CS 1

Internetserial

H1

2H

RouterDSU

P.S.T.N.ISDN


TellmeTellme

Two main data centers

1700+ consoles

Secure access to each center

Not distributed mode

PIC Dog!– LCD display– Temperature– Soft power control– Messaging and more

Two main data centers

1700+ consoles

Secure access to each center

Not distributed mode

PIC Dog!– LCD display– Temperature– Soft power control– Messaging and more


WebTV/MSNTVWebTV/MSNTV

Three data centers (distributed)– Dedicated management network

2000+ console ports

25+ terminal servers

Centralized change control

Backup hosts at each data center– Backup host can also mange the console of the

primary host!

Three data centers (distributed)– Dedicated management network

2000+ console ports

25+ terminal servers

Centralized change control

Backup hosts at each data center– Backup host can also mange the console of the

primary host!


Wrap-upWrap-up

Suggested Reading and Vendor Info pages are at the rear of the presentation.

Q&A?

Thanks for your interest!

Suggested Reading and Vendor Info pages are at the rear of the presentation.

Q&A?

Thanks for your interest!


Suggested ReadingSuggested Reading

Aurora Technologies– http://www.auroratech.com/– A good primer for console services, and an

even-handed discussion of “Distributed Servers” versus “Console Servers plus Terminal Servers” topic

Cyclades– http://www.cyclades.com/– A different view, discussing remote

management in terms of consoles, remote power, and remote control applications.

Aurora Technologies– http://www.auroratech.com/– A good primer for console services, and an

even-handed discussion of “Distributed Servers” versus “Console Servers plus Terminal Servers” topic

Cyclades– http://www.cyclades.com/– A different view, discussing remote

management in terms of consoles, remote power, and remote control applications.


Web LinksWeb Links

Stokely Consulting– http://www.stokely.com

Conserver.Com– http://www.conserver.com/

http://www.conserver.com/consoles/

Stokely Consulting– http://www.stokely.com

Conserver.Com– http://www.conserver.com/

http://www.conserver.com/consoles/


Vendor LinksVendor Links

Cisco Systems– The 2600 and 3600 series.– Use the NM-32A 32-port modules.– Americable sells patch panels.

Xyplex, iTouch Communications– The InReach line is now “Sun-safe”– The older Xyplex line is NOT!

Cisco Systems– The 2600 and 3600 series.– Use the NM-32A 32-port modules.– Americable sells patch panels.

Xyplex, iTouch Communications– The InReach line is now “Sun-safe”– The older Xyplex line is NOT!


Vendor Links, cont’d.Vendor Links, cont’d.

Cyclades– Built-in Linux core– TS2000 is a great device!– PC multi-port cards available– Most products are Sun-safe

Digi Communications– Many devices available– PortServer CM is a good tool– Many products are now Sun-safe

Cyclades– Built-in Linux core– TS2000 is a great device!– PC multi-port cards available– Most products are Sun-safe

Digi Communications– Many devices available– PortServer CM is a good tool– Many products are now Sun-safe


Vendor Links, cont’d.Vendor Links, cont’d.

Perle (Perle Systems Ltd.)– CS9000 is Sun-safe– Cables, status LEDs on same side

Good or bad? You decide…

– Good integration with MS Windows May be useful in a mixed environment

Lantronix– Still a workhorse in the industry

Perle (Perle Systems Ltd.)– CS9000 is Sun-safe– Cables, status LEDs on same side

Good or bad? You decide…

– Good integration with MS Windows May be useful in a mixed environment

Lantronix– Still a workhorse in the industry


Accessory Vendor InfoAccessory Vendor Info

Nu-Data non-BREAK adapters

PC Weasel in-server cards

ASP Technology– CatWalk interface– Power interface for Xyplex, Digi

DataTran passive signal tracers

Nu-Data non-BREAK adapters

PC Weasel in-server cards

ASP Technology– CatWalk interface– Power interface for Xyplex, Digi

DataTran passive signal tracers


Accessory Vendor InfoAccessory Vendor Info

Weeder Technologies– Serial interfaces for process control– Counters, timers, motor control– Analog and digital I/O

Black Box Corporation

Patton Electronics

Weeder Technologies– Serial interfaces for process control– Counters, timers, motor control– Analog and digital I/O

Black Box Corporation

Patton Electronics


Remote Power ControlRemote Power Control

American Power Conversion– MasterSwitch line

BayTech– RPC product line

Server Technologies– Sentry product line

American Power Conversion– MasterSwitch line

BayTech– RPC product line

Server Technologies– Sentry product line


AmericableAmericable

Custom cables and adapters– Serial adapter kits for consoles

Annex/Bay/Nortel Cisco/Lantronix IOLAN iTouch/Xyplex

Short power cords

Fiber and Ethernet gear/cables

Fast turnaround

Custom cables and adapters– Serial adapter kits for consoles

Annex/Bay/Nortel Cisco/Lantronix IOLAN iTouch/Xyplex

Short power cords

Fiber and Ethernet gear/cables

Fast turnaround

Secure Remote Access to your Serial Console Ports "You progress not through improving what has been...

Documents

Transcript of Secure Remote Access to your Serial Console Ports "You progress not through improving what has been...